Threat actors, including ransomware groups, initial access brokers, and malware operators, are turning to Telegram to buy illegally obtained login credentials and malware-as-a-service (MaaS) subscriptions.

“Over the past few years, elements of the cybercriminal ecosystem have progressively shifted away from traditional darknet marketplaces and closed forums toward Telegram’s hybrid architecture of public channels, private groups, and automated bots,” cybersecurity firm CYFIRMA says in a recently published blog post.

According to security researchers, Telegram has transformed from a chat application into an automated shopping platform that supports all sorts of malicious activities, including the sale of malware-as-a-service (MaaS) subscriptions, phishing kits, databases, and initial access credentials.

“For financially motivated actors, Telegram functions as a scalable storefront and customer support hub. For hacktivists, it serves as a mobilization and propaganda amplifier. For state-aligned operations, it offers a rapid distribution channel for narratives and leaks. In many cases, telegram complements and increasingly replaces traditional Tor-based ecosystems by removing technical friction while maintaining operational flexibility,” the blog post continues.

It’s not just all about the Benjamins: Telegram has become a platform to recruit skilled operators and hackers to support campaigns. It’s also used to announce targets of cyberattacks, claim responsibility for attacks, brag about attacks, and publish leaked data.

Furthermore, Telegram acts as a leak channel to publicize victims, threaten data exposure, and direct attention to dedicated leak sites. These channels often serve as an additional pressure mechanism, reinforcing extortion demands through public visibility.

Curious what others think about this story? Contribute your thoughts to the debate below.

“The visibility and immediacy of these announcements enhance narrative control, allowing groups to shape perception and maximize media impact regardless of the technical scale of the underlying activity,” security researchers state.

Lastly, Telegram is popular among threat actors because it serves as a backup channel to continue their criminal activities and redirect followers if a hacking forum is taken down, thus minimizing disruption.

This doesn’t signal the end of traditional underground forums. They still serve as the first point of advertisement, where actors post previews of stolen data, access listings, or service promotions. However, Telegram is often promoted as a channel for follow-up engagement.

“Rather than serving merely as a messaging tool, Telegram functions as a connective infrastructure linking access brokers to ransomware affiliates, leak channels to media visibility, and recruitment posts to active operations. As cybercriminal ecosystems continue to adapt, platforms that combine scalability, persistence, and low entry barriers will remain attractive operational environments. Telegram represents a clear example of this evolution,” CYFIRMA concludes.

---

Unlock more exclusive Cybernews content on YouTube.